Solved: different default route for private network

tolinrome tolinrome · ‎06-01-2021

Hello all, On my layer 3 switch there are many private networks, and all networks are routable to each other. If there is a request that isnt for one of those networks, then of course it will go to the default route 0/0 x.x.x.x(internet). How though, do I make it where I want a specific network, say, 172.16.1.0 to go to a different default route rather than x.x.x.x like all the other routes, but I want it to go to one of y.y.y.y?

So, 172.16.1.0 can route to all the other RFC 1918 private networks but when it wants to go to the internet it uses another default rou

Richard Burts · ‎06-01-2021

Am I understanding the post correctly: there is a single layer 3 switch providing intervlan routing for multiple vlans/subnets. Inter vlan routing is successful and any device in any of the private subnets can access any address in other private subnets within the organization network. And any device in any of the private subnets can successfully access the Internet. Now you want to make a change such that subnet 172.16.1.0 can still access any of the private networks using the existing routing logic but if 172.16.1.0 wants to access the Internet that it will use a different gateway address.

If that understanding is correct you would be able to achieve this by configuring Policy Based Routing. For policy based routing you would follow these steps:

1) configure an extended access list. The first several lines of the acl would deny traffic if source address is 172.16.1.0/24 and the destination address is 10.0.0.0/8, or is 172.16.0.0/12, or is 192.168.0.0/16. The last statement in the acl would permit ip 172.16.1.0/24 any. The logic here is that the acl controls the special routing used for PBR. You deny 172.16.1.0 to any private network so that they would use normal routing, and then you permit 172.16.1.0 to any so that it would use the special gateway.

2) configure a route map. In the route map you would have a match statement which uses the acl that you configured and would have a set statement which specifies the new gateway address.

3) on the SVI for 172.16.1.0 you configure ip policy <route-map>

HTH

Rick

View solution in original post

Richard Burts · ‎06-01-2021

Am I understanding the post correctly: there is a single layer 3 switch providing intervlan routing for multiple vlans/subnets. Inter vlan routing is successful and any device in any of the private subnets can access any address in other private subnets within the organization network. And any device in any of the private subnets can successfully access the Internet. Now you want to make a change such that subnet 172.16.1.0 can still access any of the private networks using the existing routing logic but if 172.16.1.0 wants to access the Internet that it will use a different gateway address.

If that understanding is correct you would be able to achieve this by configuring Policy Based Routing. For policy based routing you would follow these steps:

1) configure an extended access list. The first several lines of the acl would deny traffic if source address is 172.16.1.0/24 and the destination address is 10.0.0.0/8, or is 172.16.0.0/12, or is 192.168.0.0/16. The last statement in the acl would permit ip 172.16.1.0/24 any. The logic here is that the acl controls the special routing used for PBR. You deny 172.16.1.0 to any private network so that they would use normal routing, and then you permit 172.16.1.0 to any so that it would use the special gateway.

2) configure a route map. In the route map you would have a match statement which uses the acl that you configured and would have a set statement which specifies the new gateway address.

3) on the SVI for 172.16.1.0 you configure ip policy <route-map>

HTH

Rick

paul driver · ‎06-02-2021

Hello
As suggested by Rick , PBR would the way to accomplish your request, please see the example below which is slightly different to what rick suggested as it involves using both a specific deny pbr stanza that will allow normal routing and a permit all pbr stanza that will policy route all other traffic towards your internet default path..

PBR example:

ip access-list extended PBR-Internet_acl
permit ip any 172.16.0.0 0.0.252.255
permit ip any 10.0.0.0 0.255.255.255
permit ip any 192.168.0.0 0.0.255.255

route-map PBR-Internet_rm deny
match ip address PBR-Internet_acl

route-map PBR-Internet_rm permit 99
set ip next-hop x.x.x.x (internet next hop)

interface x/x (172.16.1.0 subnet interface)
ip policy route-map PBR-Internet_rm

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Richard Burts · ‎06-02-2021

Paul and I agree that PBR is the approach to achieve the alternate routing to Internet for a specified subnet. He suggests a slightly different approach in PBR. Correctly configured either approach should achieve the desired result. I find that the logic in PBR stanzas using deny logic is more subtle and easier to make mistakes as compared to logic in permit stanzas. So in making suggestions to people with little experience with PBR I generally suggest the approach with a single stanza and where the permit and deny distinction is in the access list, which I believe is easier for beginners. But correctly configured either approach should work just fine.

Picky point: the subnet mask here is not correct

permit ip any 172.16.0.0 0.0.252.255

HTH

Rick

tolinrome tolinrome · ‎06-03-2021

Thank you both very much for your help, I preferred the former answer.

Richard Burts · ‎06-03-2021

You are welcome. The approach suggested by Paul is perhaps more sophisticated while my approach is a bit more simple. Either of them would work. It is a question of which you feel more comfortable with. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick